current Splunk architecture:
a standalone search head + an indexer cluster (containing three indexers) + a cluster master node
I want to convert it into a distributed search setup with a search head + an indexer, without losing any data. How can I do that? I didn't find the answer in the official documentation.
Sorry @bestSplunker, it seems the scope of your question changed. So no, a single indexer most likely doesn't contain all the data. To transform an indexer cluster into a single indexer you need to decommission one indexer at a time so the cluster master will order the copy of buckets to the remaining machines in the cluster.
If you want one of the current indexers to contain all the buckets:
1 Choose one of the machines to be the remaining one.
2 Put the remaining two in detention mode so they won't be getting more data from the replication process when you decommission another peer: https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Peerdetention
3 Decommission one peer at a time using the splunk offline --enforce-counts command so the buckets from that peer are copied to the one you elected as the remaining one after this whole process is finished. https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Takeapeeroffline
4 Check on your cluster master when the bucket fixing process has finished, meaning the necessary bucket replication happened to fulfill your Replication and Search factors.
When it is finished, repeat steps 3 and 4 until you have one indexer only. It will have all the buckets and all will be searchable. Consider storage capacity for this.
5 Remove the peers from the cluster until none is left (since you want only a single machine without any clustering activity)
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Removepeerfrommasterlist
Now you have an empty cluster and you can get rid of the cluster master and point the SH at the indexer in distributed search as mentioned above
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Overviewofconfiguration
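The steps 2 to 4 above, as an added script that is not from this thread or from Splunk: it is run on the cluster master, assumes ssh access to each peer, the splunk CLI at SPLUNK_BIN on every host, and admin credentials in SPLUNK_AUTH (all hostnames are placeholders). It also adds one caveat the thread does not mention: the master can never satisfy a replication or search factor larger than the number of peers still able to hold a copy, so the factors are lowered to 1 before the first peer is retired.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Placeholders: SPLUNK_BIN, SPLUNK_AUTH,
# and the peer hostnames. Run on the cluster master with ssh access to every peer.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"
KEEP="idx1.example.internal"                          # the peer that ends up with every bucket
RETIRE="idx2.example.internal idx3.example.internal"  # peers to detain, then retire one at a time

# Step 2: a detained peer stops receiving replica copies, so fix-up has only KEEP to copy to.
set_detention() {   # $1 = peer host, $2 = on|off
  ssh "$1" "$SPLUNK_BIN edit cluster-config -manual_detention $2 -auth $SPLUNK_AUTH"
}

# Caveat (assumption stated in the lead-in): a factor cannot exceed the number of peers that can
# hold a copy, so drop RF/SF to 1 first or the master would report them unmet forever.
lower_factors() {
  "$SPLUNK_BIN" edit cluster-config -replication_factor 1 -search_factor 1 -auth "$SPLUNK_AUTH"
}

# Step 4 helper: read 'splunk show cluster-status' text on stdin; return 0 when both factors
# are met. The wording varies by version ("Search factor met: YES" vs "Search factor 2 is met."),
# so both forms are accepted, and any "not met" or ": NO" line counts as still fixing up.
factors_met() {
  status=$(tr '[:upper:]' '[:lower:]')
  for f in 'replication factor' 'search factor'; do
    printf '%s\n' "$status" | grep -qE "$f.*(not met|: no)" && return 1
    printf '%s\n' "$status" | grep -q "$f.*met" || return 1
  done
  return 0
}

# Step 4: poll the master until bucket fix-up has completed.
wait_for_fixup() {
  until "$SPLUNK_BIN" show cluster-status -auth "$SPLUNK_AUTH" | factors_met; do
    echo "bucket fix-up still running, waiting 60s"; sleep 60
  done
}

# Step 3: --enforce-counts makes the master re-create this peer's buckets elsewhere (on KEEP,
# the only non-detained peer) before the peer shuts down.
retire_peer() {   # $1 = peer host
  ssh "$1" "$SPLUNK_BIN offline --enforce-counts"
  wait_for_fixup
}

main() {
  lower_factors
  for p in $RETIRE; do set_detention "$p" on; done
  for p in $RETIRE; do retire_peer "$p"; done
  echo "done: $KEEP holds every bucket; now remove the retired peers from the master's peer list"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sh retire_peers.sh run`; step 5 (removing the peers from the master list) is still done by hand afterwards.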
Alright, that will be easier then. Just spin up a Splunk instance that will be your search head, and add your current one as a search peer in the distributed search menu of the search head. All the data will be searchable from the search head. Then you can disable the UI of the indexer.
Don't forget to forward all the data generated on your search head to the indexer so you can track everything about it.
https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Overviewofconfiguration
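The two actions in this answer (register the indexer as a search peer, forward the search head's own data to it), as an added script that is not from this thread or from Splunk; it is run on the new search head and assumes the splunk CLI at SPLUNK_BIN, the indexer's management port 8089, and that the indexer already listens for forwarded data on port 9997 (hostnames are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Run on the new search head.
# Placeholders: SPLUNK_BIN, SPLUNK_HOME, the indexer hostname, and the credentials passed in.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Register the indexer as a search peer; same effect as the distributed search menu in the UI.
add_search_peer() {   # $1 = indexer host, $2 = local admin user:pw, $3 = indexer user, $4 = its pw
  "$SPLUNK_BIN" add search-server "https://$1:8089" -auth "$2" \
    -remoteUsername "$3" -remotePassword "$4"
}

# Forward everything the search head generates itself (_internal, _audit, summaries) to the
# indexer and keep no local copy, so the head's own activity is searchable with the rest.
# Assumes the indexer receives on 9997 (enabled there with 'splunk enable listen 9997').
write_outputs_conf() {   # $1 = indexer host, $2 = directory that gets outputs.conf
  cat > "$2/outputs.conf" <<EOF
[indexAndForward]
index = false

[tcpout]
defaultGroup = single_indexer
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:single_indexer]
server = $1:9997
EOF
}

# Usage (then restart the search head):
#   add_search_peer idx1.example.internal admin:changeme admin changeme
#   write_outputs_conf idx1.example.internal "$SPLUNK_HOME/etc/system/local"
```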
@bestSplunker if this solved your problem, please accept and upvote the answer
@tiagofbmm Are you sure it works? In an indexer cluster, if I separate one of the indexers from the indexer cluster, does the indexer hold all the complete data? Because when I try to search for the same data on each indexer, different indexers in the indexer cluster return different results. If the data is searched from the search head, it is merged back on the search head. Therefore, in the indexer cluster, the data stored by each indexer is not complete, and it needs each indexer to return the merged results to the search head in order to provide complete data.
Create a new instance to be your cluster master, and one to be your search head that will search all the indexers. You will not lose any data, but only the newly created buckets of data will respect your Replication and Search Factor; all your past data will remain available.
Follow this guide
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Clusterdeploymentoverview
@tiagofbmm I'm sorry, but I corrected my question. In fact, I want to convert it into a distributed search with 1 SH + 1 indexer. I don't need an indexer cluster anymore, nor do I need a master node.